
How Kubernetes Implements Communication Between the Modules of a Cluster

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article shows how Kubernetes implements communication between the modules of a cluster: which authentication method each pair of components uses, and the settings that configure it.

One: communication structure diagram

Two: Kubernetes client authentication methods

Kubernetes provides three levels of client authentication:

1. HTTPS certificate authentication (the strictest): two-way digital certificate authentication based on certificates signed by the CA root certificate

2. HTTP Token authentication: identifies legitimate users through a token

3. HTTP Basic authentication: authenticates by user name and password

The figure above shows how to use HTTPS certificate authentication.

Three: the mode of communication between the modules

In a cluster with TLS enabled, every interaction with the cluster requires identity authentication. Kubeconfig (certificate) and token authentication are the simplest and most general authentication methods.

1. kubectl and API Server use kubeconfig for TLS authentication.

2. kubelet and API Server use a combination of a token (bootstrap token) and kubeconfig for TLS authentication.

3. Pods and API Server use a token (Service Account Token) for TLS authentication.

4. Users outside the cluster get HTTP access through kubectl proxy (for testing purposes only).

5. HTTP access between the controller manager and API Server (the scheduler, controller manager and API Server must be deployed on the same server).

6. ETCD nodes communicate with each other through TLS.

7. API Server and ETCD communicate through TLS.

8. API Server and kube-proxy perform TLS authentication through kubeconfig.

Four: kubectl communication settings

By default, kubectl looks for a file named config in the $HOME/.kube directory. You can specify other kubeconfig files by setting the environment variable KUBECONFIG or by passing --kubeconfig.


ETCD_CERT_FILE="/etc/kubernetes/ssl/kubernetes.pem"

ETCD_KEY_FILE="/etc/kubernetes/ssl/kubernetes-key.pem"

ETCD_TRUSTED_CA_FILE="/etc/kubernetes/ssl/ca.pem"

ETCD_PEER_CERT_FILE="/etc/kubernetes/ssl/kubernetes.pem"

ETCD_PEER_KEY_FILE="/etc/kubernetes/ssl/kubernetes-key.pem"

ETCD_PEER_TRUSTED_CA_FILE="/etc/kubernetes/ssl/ca.pem"

--cert-file and --key-file set ETCD's public and private keys; --peer-cert-file and --peer-key-file set the public and private keys for communication between the nodes of the ETCD cluster; --trusted-ca-file sets the client CA certificate; --peer-trusted-ca-file sets the CA certificate for the nodes of the ETCD cluster.
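The following is an added example, not part of the original article or of any Kubernetes or etcd tooling: a small audit that parses an ETCD environment file like the one above and reports TLS settings that are unset, point to missing files, or name a private key accessible to group or others. The function names (parse_env, audit, demo) are hypothetical, the permission check is an added hardening check the article does not mention, and the sample configuration is constructed in a temporary directory.

```python
import os
import shlex
import tempfile

# The six TLS settings from the article's ETCD configuration, grouped by listener.
REQUIRED = {
    "client": ("ETCD_CERT_FILE", "ETCD_KEY_FILE", "ETCD_TRUSTED_CA_FILE"),
    "peer": ("ETCD_PEER_CERT_FILE", "ETCD_PEER_KEY_FILE", "ETCD_PEER_TRUSTED_CA_FILE"),
}

def parse_env(text):
    """Parse KEY="value" lines of an ETCD environment file into a dict."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            parts = shlex.split(value)  # strips the surrounding quotes
            settings[key.strip()] = parts[0] if parts else ""
    return settings

def audit(settings):
    """Return sorted findings: unset settings, missing files, exposed private keys."""
    findings = []
    for scope, names in REQUIRED.items():
        for name in names:
            path = settings.get(name, "")
            if not path:
                findings.append(f"{scope}: {name} is not set")
            elif not os.path.isfile(path):
                findings.append(f"{scope}: {name} points to a missing file")
            elif name.endswith("_KEY_FILE") and os.stat(path).st_mode & 0o077:
                findings.append(f"{scope}: {name} is accessible to group/others")
    return sorted(findings)

def demo():
    """Constructed sample: peer CA left out, private key created with mode 0644."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("kubernetes.pem", "kubernetes-key.pem", "ca.pem"):
            path = os.path.join(d, name)
            open(path, "w").close()
            os.chmod(path, 0o644)
        names = {"ETCD_CERT_FILE": "kubernetes.pem", "ETCD_KEY_FILE": "kubernetes-key.pem",
                 "ETCD_TRUSTED_CA_FILE": "ca.pem", "ETCD_PEER_CERT_FILE": "kubernetes.pem",
                 "ETCD_PEER_KEY_FILE": "kubernetes-key.pem"}
        env = "\n".join(f'{var}="{d}/{fname}"' for var, fname in names.items())
        return audit(parse_env(env))

if __name__ == "__main__":
    print("\n".join(demo()))
```

Because the article's configuration reuses kubernetes-key.pem for both the client and peer listeners, a single loosely permissioned key file shows up as two findings.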

Six: API Server and ETCD cluster communication settings (apiserver configuration file)

This is API Server's.

CA public key certificate
